DoC, DHS See Botnet Expansion, Need for Counteracting Policies

A new report from the Departments of Commerce (DoC) and Homeland Security (DHS) suggests that the proliferation of botnets and the automated, distributed cyber attacks they generate will cause greater problems for Federal agencies absent a robust government response to the problem that includes a proper mix of funding, policies, and public-private collaboration.

Federal agency exposure to botnet attacks, the report says, will only worsen as the Internet of Things (IoT) continues to grow.

But despite sounding the alarm about the growing danger of botnets in the IoT era, the report offers mostly aspirational policy advice for confronting the problem, rather than concrete steps that may require government action in law or regulation.

DoC and DHS released the report Wednesday following a year of research that was prompted by President Trump’s Cyber Executive Order in May 2017. The agencies consulted with the Departments of Defense, Justice, and State, the Federal Bureau of Investigation, sector-specific agencies, the Federal Communications Commission, and the Federal Trade Commission, in addition to conducting substantial private sector and industry outreach.

The report outlines six principal themes that summarize the increasing prevalence and implications of botnets and automated, distributed attacks: they are a global problem; tools to mitigate them exist, but aren’t widely used; products aren’t secured during all stages of their lifecycle, making exploits easier; more awareness and education on the subject are needed; market incentives don’t prompt developers to build in better security; and no stakeholder community can address the attacks in isolation.

So, what are the main takeaways for the Federal government? Among five main goals, more than two dozen action steps, and numerous other recommendations made in the report, DoC and DHS have described an aspirational system that would encourage better practices across government and private sector siloes.

One of the report’s chief areas of concern appears to be IoT.

“With new botnets that capitalize on the sheer number of ‘Internet of Things’ (IoT) devices, DDoS [distributed denial of service] attacks have grown in size to more than one terabit per second, far outstripping expected size and excess capacity,” the report states.

As IoT-connected devices proliferate exponentially and give cybercriminals more potential capital for exploitation, the report calls on the Federal government to partner with industry to establish minimum security baselines for IoT devices in commercial, industrial and government environments.

In practical application, though, the report says consumer IoT products “should be easy to understand and simple to use securely,” so that individual users don’t unknowingly contribute to distributed attacks when their systems are compromised.

“To enhance the resilience of the Internet and communications infrastructure, coordinated actions that cross geopolitical, public-private, industrial sector, and technical boundaries must become easier to implement,” the report states.

Other aspirational goals include greater information-sharing between stakeholders, public awareness campaigns so users know the risks of botnet attacks, and new programs in academia to foster security innovation.

Acknowledging that government may not have all the answers, DoC and DHS are still calling upon the Federal government to lead the charge.

“The Federal government should lead by example and demonstrate practicality of technologies, creating market incentives for early adopters,” the report says. “The federal government is also uniquely positioned to lead the international engagement required to establish broadly accepted policies and best practices and will enhance coordination with stakeholders on these efforts.”